However!!!

When I paste the line in without the preceding spaces/tab, it works just 
fine. So I just need to handle the tab/spaces. 

Jared


ossec-testrule: Type one log per line.

[2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException


**Phase 1: Completed pre-decoding.
       full event: '[2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException'
       hostname: 'alienvault4sim'
       program_name: '(null)'
       log: '[2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException'

**Phase 2: Completed decoding.
       decoder: 'MailFailRLB'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.



        [2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException


**Phase 1: Completed pre-decoding.
       full event: '    [2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException'
       hostname: 'alienvault4sim'
       program_name: '(null)'
       log: '   [2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


On Sunday, August 4, 2013 2:27:15 PM UTC-4, Michael Starks wrote:
>
> On 08/04/2013 12:19 PM, Jared wrote: 
> > Would someone be so kind as to tell me what I am missing here? 
> > 
> > Raw log line: 
> > 
> >      [2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException 
> > 
> > 
> tab-bracket-yyyy-dash-mm-dd-space-hh-colon-mm-colon-ss-comma(punctuation)-nnn-bracket
>  
>
> > someRandomText 
> > 
> > Decoder: 
> > 
> > <decoder name="MailFailRLB"> 
> > <prematch>^\t[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d] \w+ javax.mail.AuthenticationFailedException</prematch> 
> > </decoder> 
> > 
> > Is missing something. 
>
> Try this: 
>
> <decoder name="MailFailRLB"> 
> <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d,\d\d\d] javax.mail.AuthenticationFailedException</prematch> 
> </decoder> 
>
> There were two problems: 
> 1. No tab at the beginning of the log line 
> 2. no \w+ prior to javax.mail.AuthenticationFailedException 
>
>
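
The match results from the two ossec-logtest runs above can be reproduced offline with the following added example, which is not part of the original thread. It translates the two prematch patterns into Python `re` syntax (an assumption: this is not OS_Regex), adds a hypothetical whitespace-tolerant variant, and runs all three against constructed copies of the log line with no indent, a tab, and spaces.

```python
import re

# Constructed sample lines built from the log line quoted in the thread.
BODY = "[2013-08-03 23:45:24,461] javax.mail.AuthenticationFailedException"
SAMPLES = {
    "no_indent": BODY,
    "tab_indent": "\t" + BODY,
    "space_indent": "    " + BODY,
}

# Python `re` translations of the prematch patterns (assumption: not OS_Regex).
TS = r"\[\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}\]"
EXC = r"javax\.mail\.AuthenticationFailedException"
PATTERNS = {
    # First decoder in the thread: leading tab plus an extra "\w+ " token.
    "original": re.compile(r"^\t" + TS + r" \w+ " + EXC),
    # Decoder from the reply: anchored directly on the opening bracket.
    "suggested": re.compile(r"^" + TS + " " + EXC),
    # Hypothetical variant that tolerates any run of leading spaces or tabs.
    "ws_tolerant": re.compile(r"^[ \t]*" + TS + " " + EXC),
}


def match_matrix():
    """Return {pattern_name: {sample_name: matched?}} for every combination."""
    return {
        pname: {sname: bool(rx.search(line)) for sname, line in SAMPLES.items()}
        for pname, rx in PATTERNS.items()
    }


def leading_whitespace(line):
    """Return the line's leading whitespace escaped, so tabs and spaces differ visibly."""
    prefix = line[: len(line) - len(line.lstrip(" \t"))]
    return repr(prefix)


if __name__ == "__main__":
    for sname, line in SAMPLES.items():
        print(f"{sname:13} leading whitespace = {leading_whitespace(line)}")
    for pname, row in match_matrix().items():
        print(f"{pname:12} {row}")
```

Printing the escaped prefix is the quickest way to tell whether a pasted test line still contains a real tab or has had it expanded to spaces by the terminal.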
